From d1ba38f7c96e74901779089fea6d09b0c7c2521d Mon Sep 17 00:00:00 2001
From: Kelvin Zhang <zhangkelvin@google.com>
Date: Thu, 17 Sep 2020 11:32:29 -0400
Subject: Check for overflow before allocating memory fore decompression.

On 32bit devices, an ZipEntry64 may have size > 2^32, we should check
for such cases before attempting to allocate memory.

Test: mm -j
Change-Id: I0f916ef4b2a692f167719a74bd6ff2e887c6c2ce
---
 install/install.cpp     | 8 +++++++-
 install/verifier.cpp    | 6 ++++++
 install/wipe_device.cpp | 7 ++++++-
 3 files changed, 19 insertions(+), 2 deletions(-)

(limited to 'install')

diff --git a/install/install.cpp b/install/install.cpp
index 753373206..1b220cb39 100644
--- a/install/install.cpp
+++ b/install/install.cpp
@@ -246,7 +246,13 @@ bool SetUpAbUpdateCommands(const std::string& package, ZipArchiveHandle zip, int
     LOG(ERROR) << "Failed to find " << AB_OTA_PAYLOAD_PROPERTIES;
     return false;
   }
-  uint32_t properties_entry_length = properties_entry.uncompressed_length;
+  auto properties_entry_length = properties_entry.uncompressed_length;
+  if (properties_entry_length > std::numeric_limits<size_t>::max()) {
+    LOG(ERROR) << "Failed to extract " << AB_OTA_PAYLOAD_PROPERTIES
+               << " because's uncompressed size exceeds size of address space. "
+               << properties_entry_length;
+    return false;
+  }
   std::vector<uint8_t> payload_properties(properties_entry_length);
   int32_t err =
       ExtractToMemory(zip, &properties_entry, payload_properties.data(), properties_entry_length);
diff --git a/install/verifier.cpp b/install/verifier.cpp
index d8bc53f69..3f0260138 100644
--- a/install/verifier.cpp
+++ b/install/verifier.cpp
@@ -323,6 +323,12 @@ static std::vector<Certificate> IterateZipEntriesAndSearchForKeys(const ZipArchi
   std::string_view name;
   ZipEntry64 entry;
   while ((iter_status = Next(cookie, &entry, &name)) == 0) {
+    if (entry.uncompressed_length > std::numeric_limits<size_t>::max()) {
+      LOG(ERROR) << "Failed to extract " << name
+                 << " because's uncompressed size exceeds size of address space. "
+                 << entry.uncompressed_length;
+      return {};
+    }
     std::vector<uint8_t> pem_content(entry.uncompressed_length);
     if (int32_t extract_status =
             ExtractToMemory(handle, &entry, pem_content.data(), pem_content.size());
diff --git a/install/wipe_device.cpp b/install/wipe_device.cpp
index 0f896c43b..915c87b45 100644
--- a/install/wipe_device.cpp
+++ b/install/wipe_device.cpp
@@ -51,7 +51,12 @@ std::vector<std::string> GetWipePartitionList(Package* wipe_package) {
   std::string partition_list_content;
   ZipEntry64 entry;
   if (FindEntry(zip, RECOVERY_WIPE_ENTRY_NAME, &entry) == 0) {
-    uint32_t length = entry.uncompressed_length;
+    auto length = entry.uncompressed_length;
+    if (length > std::numeric_limits<size_t>::max()) {
+      LOG(ERROR) << "Failed to extract " << RECOVERY_WIPE_ENTRY_NAME
+                 << " because's uncompressed size exceeds size of address space. " << length;
+      return {};
+    }
     partition_list_content = std::string(length, '\0');
     if (auto err = ExtractToMemory(
             zip, &entry, reinterpret_cast<uint8_t*>(partition_list_content.data()), length);
-- 
cgit v1.2.3